agent-v3-memory-specialist
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's `pre_execution` and `post_execution` hooks invoke `npx agentic-flow@alpha`. This fetches and executes code from the public NPM registry at runtime. Using an unpinned pre-release tag (`@alpha`) rather than a specific version hash introduces a supply chain risk where the remote code could be modified or replaced by an attacker or a compromised dependency.
- [COMMAND_EXECUTION]: The skill executes shell commands to perform environment checks and store memory patterns. This includes a non-standard redirection `2>$dev$null`. If the environment variable `$dev` is uninitialized (a common scenario), this command redirects errors to a local file named `null` instead of the standard `/dev/null` device, which is unconventional and can result in unexpected file system artifacts.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface as it is designed to ingest and process data from external memory backends (SQLite, Markdown). While it lacks explicit 'ignore previous instructions' patterns, it does not define boundary markers or sanitization procedures for the content retrieved from these external sources, which could potentially contain malicious instructions that influence the agent's behavior during the 'unification' process.
- Ingestion points: Processes data from multiple memory backends including `SQLiteBackend` and `MarkdownBackend` (documented in SKILL.md).
- Boundary markers: None present in the migration or query logic.
- Capability inventory: Executes shell commands via hooks and performs database storage/retrieval operations.
- Sanitization: No evidence of content sanitization or instruction filtering for external memory entries.
Audit Metadata